21-05-2008, 06:17 PM
|
#1 (permalink)
|
|
Administrator
Join Date: Sep 2005
Location: Manchester UK
Posts: 20,698
|
Security vulnerability for Windows CE posted
A security vulnerability for Windows CE has been posted in the US-CERT Cyber Security Bulletin.
Multiple unspecified vulnerabilities in the JPEG (GDI+) and GIF image processing in Microsoft Windows CE 5.0 allow remote attackers to execute arbitrary code via crafted JPEG and GIF images.
For more details see National Vulnerability Database (CVE-2008-2160)
An update is available from Microsoft here.
|
|
|
21-05-2008, 06:32 PM
|
#2 (permalink)
|
|
Site Moderator
Join Date: May 2007
Location: New Jersey, USA
Posts: 1,048
|
Re: Security vulnerability for Windows CE posted
Ok, here we go again... how long before I truly have to worry about browsing using my device...? PLEASE LET US BE... all we wanna do is enjoy our devices, like the truly addicted people we are... 
__________________
debonairone - Moderator
HTC TyTn (Hermes 200)
Suffering from Rom Flash Withdrawal Syndrome
If you enjoy this site then please ensure its survival with a Donation or a Subscription.
|
|
|
21-05-2008, 06:44 PM
|
#3 (permalink)
|
|
Administrator
Join Date: Sep 2005
Location: Manchester UK
Posts: 20,698
|
Re: Security vulnerability for Windows CE posted
Yeah, but with this one MS do seem to acknowledge it and a fix has been issued.
|
|
|
23-05-2008, 02:18 AM
|
#4 (permalink)
|
|
Site Moderator
Join Date: May 2007
Location: New Jersey, USA
Posts: 1,048
|
Re: Security vulnerability for Windows CE posted
It's not the fact that the vulnerability exists, it's the fact that there are those that will exploit it that bothers me... As intelligent as they are, please put that gray matter to use for my benefit, not the opposite...
But I am grateful that M$ has acknowledged it and issued a patch...
Deb.
__________________
debonairone - Moderator
HTC TyTn (Hermes 200)
Suffering from Rom Flash Withdrawal Syndrome
If you enjoy this site then please ensure its survival with a Donation or a Subscription.
|
|
|
23-05-2008, 02:47 PM
|
#5 (permalink)
|
|
Administrator
Join Date: Sep 2005
Location: Manchester UK
Posts: 20,698
|
Re: Security vulnerability for Windows CE posted
Yep, unfortunately there are always idiots out there who will take advantage of such things!
|
|
|
27-05-2008, 11:06 AM
|
#6 (permalink)
|
|
Site Moderator
Join Date: Sep 2005
Posts: 13,343
|
Re: Security vulnerability for Windows CE posted
I agree with Jeff, the sad fact is that some of these virus writer types are very talented individuals. If only they'd put their talent to helping the community, imagine how quickly the software world could progress. They might even make a buck or two too.
__________________
Waveydavey
4WM Moderator & Reviewer.
Microsoft MVP - Windows Mobile Devices.
|
|
|
27-05-2008, 01:01 PM
|
#7 (permalink)
|
|
Site Moderator
Join Date: Nov 2005
Location: Isle of Man
Posts: 3,045
|
Re: Security vulnerability for Windows CE posted
For a long time mobile OSs have been considered far more secure than their desktop brethren. One of the (several) reasons for this was the lack of a permanent internet connection. As many people are now keeping their data connections permanently open, thanks to all you can eat data plans, this restriction has disappeared.
Still, devices are set up by default to ask the user before installing apps and to ask before sending data so they are pretty secure with a bit of common sense. I wonder how long it will be, though, before these things are bypassed for the sake of "ease of use", particularly in a corporate sense.
It makes huge sense to be able to bypass user interaction when deploying software, updates, sending data etc. from a Corporate standpoint. If you're deploying an update to 1000 devices you want minimum interaction. However, once the facilities are in the OS, it's only a matter of time before someone comes up with a way of exploiting it.
__________________
---
Ericsson R380, Nokia 7650, SE T68, SE P800, SE P900, XDA II, XDA IIs, XDA MiniS +2GB mSD, HTC Touch Cruise + 8GB MicroSDHC
|
|
|
27-05-2008, 03:07 PM
|
#8 (permalink)
|
|
Site Moderator
Join Date: Sep 2005
Posts: 1,503
|
Re: Security vulnerability for Windows CE posted
Is it just me, or what was the point of having the update facility in WM? The patch has to be built into the base build, so HTC would have to package it into their ROM builds AFAIK.
It also requires user input as below
"Access Vector: Network exploitable , Victim must voluntarily interact with attack mechanism"
So in terms of bang for buck it really isn't the type of thing that would be attractive to cybercrime when there are far better vulnerable systems with a guaranteed fast internet connection.
__________________
Bydandie
Moderator
4Winmobile.com
Previous devices: T-Mob MDA Touch 256Mb, T-Mob MDA Touch 128Mb, T-Mob Ameo (WM6), Qtek v1605, T-Mob Vario, Moto MPx220, O2 XDAII, Dell Axim X5
|
|
|
28-05-2008, 12:14 AM
|
#9 (permalink)
|
|
Site Moderator
Join Date: May 2007
Location: New Jersey, USA
Posts: 1,048
|
Re: Security vulnerability for Windows CE posted
Ha... Good point... I even tried using the update facility, just to see what would be updated, at least while the cooks left it in the rom...
As for the why would anyone bother with WM devices, the singular (not to be confused with Cingular) question would be, "I wonder if I can..?" And once they can, everyone can...
__________________
debonairone - Moderator
HTC TyTn (Hermes 200)
Suffering from Rom Flash Withdrawal Syndrome
If you enjoy this site then please ensure its survival with a Donation or a Subscription.
|
|
|
28-05-2008, 07:29 AM
|
#10 (permalink)
|
|
Site Moderator
Join Date: Sep 2005
Posts: 1,503
|
Quote:
Originally Posted by debonairone
Ha... Good point... I even tried using the update facility, just to see what would be updated, at least while the cooks left it in the rom...
As for the why would anyone bother with WM devices, the singular (not to be confused with Cingular) question would be, "I wonder if I can..?" And once they can, everyone can...
|
The point though, Deb, is that almost all attacks have been for financial gain over the past four years. Almost all attacks form part of the botnet cycle to gather information from systems. The fact remains that exploits like GDI rely on a feature-rich browser and enough bandwidth to download the payload. Neither of which is prevalent in WM devices and the market share of WM is minuscule compared to all other smartphones.
Posted via Mobile Device
|
|
|
 |
|